Image: / Unsplash

South Africa’s national health lab hit with ransomware attack amid mpox outbreak

South Africa’s National Health Laboratory Service (NHLS) confirmed on Tuesday that it is dealing with a ransomware attack significantly affecting the dissemination of lab results as the country responds to an outbreak of mpox.

A spokesperson for the organization told Recorded Future News that the ransomware attack began Saturday morning and that hackers deleted sections of their system, including backup servers, meaning they will have to rebuild many of the affected parts. 

The NHLS runs 265 laboratories across South Africa that provide testing services for public healthcare facilities in the country’s nine provinces. The spokesperson declined to say which ransomware group was behind the incident or whether a ransom will be paid. 

CEO Koleka Mlisana said in a statement that officials do not know when systems will be restored. Preliminary results of an investigation have shown that databases holding patient information were not lost or compromised.

An unidentified strain of ransomware was used to target specific parts of the agency’s IT systems, “rendering them inaccessible and blocking communication” from databases to and from users. 

“As such, all our systems remain inaccessible both internally and externally including to and from healthcare facilities until the integrity of the environment is secured and repaired,” he said. “All users will be aware that the NHLS networked laboratory system is heavily reliant on these information technology systems that have been disrupted,” Mlisana explained. 

Officials have shut down certain systems to repair the damage and an incident response team has been convened to address the attack. External cybersecurity firms have also been brought in to assist with the attack. 

All the service’s laboratories are still functional and continue to receive and process clinical samples. But under normal circumstances, lab reports are automatically generated and sent to clinicians or made available through the web. 

The ransomware attack has disabled that functionality, forcing more urgent test results to be communicated to doctors over the phone. Some are being printed and sent to hospitals or doctors. 

The ransomware attack has caused alarm in South Africa given the outbreak of mpox, also known as monkeypox. As of Tuesday, three deaths and 16 laboratory-confirmed cases have been found

Jean Kaseya, director general of the Africa Centres for Disease Control and Prevention, said earlier this month that an mMpox outbreak anywhere “is a threat everywhere.” 

“We call for swift and urgent action to increase access to Mpox diagnostics, vaccines and therapeutics for all affected African countries,” Kaseya said

South Africa’s National Department of Health, which has jurisdiction over the organization, directed questions to spokespeople for NHLS.

South African government institutions have been battered by ransomware gangs over the last year. A state-owned bank was attacked last June and in September South Africa’s defense department was hacked by the Snatch gang.

The gang leaked the personal phone number and email of the country’s president alongside a portion of the 1.6 terabytes of data stolen from the country’s defense systems. The government initially denied the attack before admitting that a breach did occur. The country’s International Trade Administration Commission also said it was hit with ransomware in early 2024. 

Ransomware gangs have made a point of targeting critical cogs in healthcare systems across the world this year, with several attacks causing massive downstream impact on those seeking care. In recent weeks, the United Kingdom has had to cancel thousands of operations due to a ransomware attack on a key business providing pathology services for hospitals and local clinics.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.